Open gmiklich opened 1 year ago
Thanks for the suggestion, we'll consider this in our future planning.
If you need the CORP header today, I imagine you probably could accomplish this with a middleware that would look for requests to the check session endpoint and add the header to the response.
I guess we'd need to expose this as a new option to allow all 3 header values:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
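The middleware approach suggested above could look like the following for ASP.NET Core. This is an added example, not part of the original thread and not Duende's code; the class name `CheckSessionCorpMiddleware` is hypothetical, and the path `/connect/checksession` is assumed to be the default check session endpoint, so adjust it if your deployment maps it elsewhere.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware: adds Cross-Origin-Resource-Policy to check session responses only.
public sealed class CheckSessionCorpMiddleware
{
    // Assumption: default check session path; change if the endpoint is remapped.
    private static readonly PathString CheckSessionPath = new("/connect/checksession");

    // The three values defined for the CORP header.
    private static readonly string[] AllowedValues = { "same-origin", "same-site", "cross-origin" };

    private readonly RequestDelegate _next;
    private readonly string _policy;

    public CheckSessionCorpMiddleware(RequestDelegate next, string policy)
    {
        // Fail at startup on a typo instead of silently emitting an invalid header.
        if (Array.IndexOf(AllowedValues, policy) < 0)
            throw new ArgumentException($"Invalid CORP value: {policy}", nameof(policy));
        _next = next;
        _policy = policy;
    }

    public Task InvokeAsync(HttpContext context)
    {
        // Scope the header to this one endpoint; all other responses are left untouched.
        if (context.Request.Path.Equals(CheckSessionPath, StringComparison.OrdinalIgnoreCase))
        {
            // OnStarting fires just before headers are sent, so the header is set
            // even though the endpoint itself writes the response later in the pipeline.
            context.Response.OnStarting(() =>
            {
                context.Response.Headers["Cross-Origin-Resource-Policy"] = _policy;
                return Task.CompletedTask;
            });
        }
        return _next(context);
    }
}

// Registration in Program.cs, placed before the IdentityServer middleware:
//   app.UseMiddleware<CheckSessionCorpMiddleware>("cross-origin");
//   app.UseIdentityServer();
```

Pass the narrowest of the three values that still lets your client origins load the endpoint.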
Duende IdentityServer 6.2.0
This is just a question, not a bug.
If an app adds a COEP header to `require-corp`, the check session iframe will be blocked. CORS is already implemented, but is there any thought of adding a CORP header for allowing cross origin requests for certain endpoints (such as the check session one)? I could also just be thinking about this incorrectly, so feel free to point that out if that's the case.